A receptionist works behind the logo for Baidu.com, the Chinese search engine whose customers were hijacked by the first firing of the Great Cannon.
Photograph: NG HAN GUAN/AP

The “Great Cannon” has entered the cyberwar lexicon alongside the “Great Firewall of China” after a new tool for censorship in the nation was named and described by researchers from the University of Toronto.

The first use of the Great Cannon came in late March, when the coding site GitHub was flooded by traffic leaving it intermittently unresponsive for multiple days. The attack, using a method called “distributed denial of service” or DDoS, appeared to be targeting two specific users of the site: the New York Times’ Chinese mirror, and anti-censorship organisation GreatFire.org.

Both users focus their efforts on allowing Chinese residents to bypass the country’s Great Firewall – the system China uses to restrict access to parts of the internet.

The attack, which continued for almost two weeks, was observed by researchers led by the University of Toronto’s Bill Marczak. They concluded that it provides evidence of a new censorship tool above and beyond the Great Firewall.

“While the attack infrastructure is co-located with the Great Firewall, the attack was carried out by a separate offensive system, with different capabilities and design, that we term the ‘Great Cannon’,” the researchers write.

“The Great Cannon is not simply an extension of the Great Firewall, but a distinct attack tool that hijacks traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle.”

Where the Great Firewall was a tool for largely passive censorship – preventing access to material and providing the Chinese state with the ability to spy on its residents – the Great Cannon provides the ability to effectively rewrite the internet on the fly.

When used offensively, that ability can turn a normal internet user into a vector of attack. In the case of the GitHub attacks, the Great Cannon “intercepted traffic sent to Baidu infrastructure servers”, web servers run by China’s largest search engine “that host commonly used analytics, social, or advertising scripts”. Roughly 1.75% of the time it took that traffic and returned a malicious script, unwittingly enlisting the web surfer in the hacking campaign against GitHub. The scripts were not complex, doing little more than sending requests for content to GitHub; but the sheer quantity of users affected proved difficult for the site to handle.

The researchers conclude that the Great Cannon, like the Great Firewall before it, is likely to be operated by the Chinese government. Both systems appear to be hosted on the same servers, and appear to share source code for intercepting communications. As such, its operation points to a shift in Chinese censorship tactics, “and has a highly visible impact”, the research says. “It is likely that this attack, with its potential for political backlash, would require the approval of high-level authorities within the Chinese government.”

The Great Cannon’s first firing proved “exceptionally costly” to its target, GreatFire, and “may also reflect a desire to counter what the Chinese government perceives as US hegemony in cyberspace”, the researchers write.

But the Cannon is potentially able to be more damaging still. A technically simple change in its configuration would let it target specific individuals, even if they did not reside in China, and intercept their communications the minute they communicate “with any Chinese server not employing cryptographic protections”.

With the deployment of the Great Cannon, China is the third documented case of a government “tampering with unencrypted internet traffic to control information or launch attacks – the other two being the use of QUANTUM by the US NSA and UK’s GCHQ”.

One major question left unanswered, the researchers say, is why the Great Cannon was first deployed in such a publicly visible fashion.

“The repurposing of the devices of unwitting users in foreign jurisdictions for covert attacks in the interests of one country’s national priorities is a dangerous precedent – contrary to international norms, and in violation of widespread domestic laws prohibiting the unauthorised use of computing and networked systems,” they conclude.